Bugzilla – Bug 7119
Enable MyProxyCA to include a certificate chain of intermediate CA certificates with EECs Issued
Last modified: 2011-02-28 09:09:28
The associated CA with a given MyProxyCA may itself be an intermediate CA
issued from a root CA or further intermediate CA. It would be a useful
addition to be able to configure the server so that these CA certificates were
returned in logon responses along with the new short term credential issued.
This would simplify the configuration of services consuming the credential
since they would need only to keep a copy of the respective root CA
certificate. In addition, tests with Java based services have shown that for a
given client certificate making a request over SSL, only the issuing
certificate is required to be present in the server's truststore. This means
that for client certificates issued as part of a trust chain of CA
certificates, the verification process is not completed back to the root CA
unless the complete chain of intermediate certificates is passed by the client.
Hi Philip. Our plan is to add a myproxy-server.config option for specifying the
path to a file containing one or more intermediate CA certificates to be added
to the certificate chain for every CA GET response. Does that sound like it
will provide what you need? We'll update this bug when it's in CVS so you'll
have an opportunity to test before release.
That sounds great - thanks.
Implemented a myproxy-server.config certificate_issuer_subca_certfile option.
Mods in CVS.
A release candidate is available for testing here:
$ openssl sha1 < myproxy-5.3rc1.tar.gz
When you get a chance, please give it a try and let us know how it works for
Thanks for getting this out so quickly. I've not had a chance to try it out
but will look at it soon and let you know.
Included in MyProxy 5.3 released 17 Jan 2011.
Please re-open this bug if any changes are required.
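Added example, not part of the bug thread or of MyProxy's code: the chain verification described in the original report, reproduced with the openssl command line. It builds a constructed root CA, intermediate CA and EEC, then verifies the EEC against a trust store holding only the root, with and without the intermediate supplied alongside it. All subjects and paths are made up, and `sub.pem` stands in for the kind of file `certificate_issuer_subca_certfile` would point at.

```shell
#!/bin/sh
# Added example; every subject, file name and path here is constructed.
set -eu

q() { "$@" >/dev/null 2>&1; }   # run quietly, keep the exit status

build_chain() {   # $1 = empty working directory
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$1/ca.ext"
    for n in root sub eec; do
        q openssl req -newkey rsa:2048 -nodes -subj "/O=Demo/CN=demo $n" \
            -keyout "$1/$n.key" -out "$1/$n.csr"
    done
    # Self-signed root CA: the only certificate the relying party stores.
    q openssl x509 -req -days 2 -in "$1/root.csr" -signkey "$1/root.key" \
        -extfile "$1/ca.ext" -out "$1/root.pem"
    # Intermediate CA signed by the root (assumed role of the issuing MyProxy CA).
    q openssl x509 -req -days 2 -in "$1/sub.csr" -CA "$1/root.pem" \
        -CAkey "$1/root.key" -CAcreateserial -extfile "$1/ca.ext" -out "$1/sub.pem"
    # Short-lived end-entity certificate signed by the intermediate.
    q openssl x509 -req -days 1 -in "$1/eec.csr" -CA "$1/sub.pem" \
        -CAkey "$1/sub.key" -CAcreateserial -out "$1/eec.pem"
}

# Relying party trusts only root.pem and receives the EEC by itself.
verify_alone() { q openssl verify -CAfile "$1/root.pem" "$1/eec.pem"; }

# Same trust store, but the peer also sends the intermediate as an untrusted
# chain certificate, so a path to the root can be built.
verify_with_chain() {
    q openssl verify -CAfile "$1/root.pem" -untrusted "$1/sub.pem" "$1/eec.pem"
}

demo() {
    d=$(mktemp -d)
    build_chain "$d"
    if verify_alone "$d"; then echo "EEC alone: OK"
    else echo "EEC alone: FAIL (no path to the trusted root)"; fi
    if verify_with_chain "$d"; then echo "EEC + intermediate: OK"
    else echo "EEC + intermediate: FAIL"; fi
    rm -rf "$d"
}
demo
```
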